
Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turned out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to properly and consistently implement the Code that they helped to write. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July). A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content).


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment to victims of authorised push payment scams (otherwise known as bank transfer scams), who are tricked into unwittingly transferring money to a scammer.

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrates just how poorly some banks are treating victims and the lengths they will go to in order to pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied with the outcome of a decision made by their bank, they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to an HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement.

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions, so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one, as the PSR has suggested.

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Judith Schofield says:
8 July 2021

When did any public, technological or business organisation ever design regulations that were in anyone’s interests but its own?

John Humphris says:
8 July 2021

Allowing banks to write their own rules is akin to asking turkeys to vote for Christmas.

Nidge Murray says:
8 July 2021

Introduce legislation which sets as default:

No transfer beyond a specified amount (that could be, say, £250) may take place without:
(a) 10 days lead time
(b) Active check by the Bank what the purpose is.

In the case of the frail & impaired a further check could require
(c) a nominated trusted person be informed and their acknowledgement & permission to proceed is required.

The Bank, Building Society shall be wholly liable for any amount above the specified amount lost to scammers.

Below the specified amount anything lost to scammers is wholly the responsibility of the account holder.

The specified amount may be varied by the account holder to a lower or higher figure (which will reflect their circumstances & financial dealings).
That would need similar lead time and to be in writing.

People make choices and if those choices are made without consideration then they must acknowledge the fact that they made the choice and accept the consequences. This culture of “Oops! I made a mistake. Please bail me out with somebody else’s money” must stop. If the Bank(s) do something with a Person’s monies that results in a loss to the Person then the Bank must re-imburse the Person. From the reports I have read a lot of “scams” have been offering the Person(s) a profit for no outlay. Why would any Person think that there is a “free lunch”? If a Person, is offered something that “promises” a profit for “nothing”, the Person who accepts such an offer must take the loss, irrespective of the value, £0.01 or £1000000.00. Why should any other Person or Organisation be held responsible?

M. Moar says:
8 July 2021

There is a very good reason why we need a bank regulator. Banks are not to be trusted to look after anyone else’s interests but their own. The days are long gone when banks were held in high esteem. They have shown this all too often in the past and continue to do this. In what other profession would it be allowed for that profession to write their own Banks are orchestrating the demise of the high street banks and free access to our money as it is. They want us to access everything online and are unable to make this 100% safe for us. Banks are not invincible and neither is the ordinary human being. Mistakes can and do happen so the onus is on the banks to have safety mechanisms in place to prevent the mistakes/scams happening in the first place and also need to have the capacity to constantly upgrade this to keep ahead of the fraudsters. This they plainly have not done and from where I sit it would seem our politicians are unwilling/unable for whatever reason to hold them to account. This begs the question what are our politicians actually doing. It is long past time for the regulator to do its job without any more pussyfooting about.

Carol ALLEN says:
9 July 2021

Banks appear to be helping the public less and less!

I totally agree with the points made above! It is not only banks at fault or reluctant to do the right thing, it is also the politicians who are supposed to be there to support and protect the public, not big business and the scammers!! I have also been scammed but did not realise until I saw money starting to be taken out of my account on a regular basis! On this occasion the bank (Nationwide) were very helpful. Most of us are not specialist or trained techy people that understand all the aspects of the internet technologies/practices enabling us to better protect ourselves!

Alexander White says:
8 July 2021

It’s inconceivable that the Regulator should make such a silly suggestion as that banks design/decide their own regulations. What nonsense!

Stephen Hyslop says:
8 July 2021

The Regulator needs to be Regulated. Currently it is not. In other words it is passing the Buck.
The Buck of course is given to the Banks, which means they are not truly Regulated.
Not being truly regulated, they act as they wish.

Relate this to a Zoo where the lions are Regulated by a keeper who leaves the cage open.
You know the rest.

All banks should put a limit on bank transfer by delaying payment for a specified time such as 10 banking days and only allow a token payment to be transferred such as £100 to confirm the transaction is to a legal bank account with two center authentication.

My bank, and I presume others, gives me the option of making a bank transfer immediately or on a specified day. If I want time to think about my transaction I can choose the latter. Why do you need the bank to do what you can already do?

I certainly would never transfer £100 as a token payment to someone to check the authenticity of the account. I have transferred £1, checked it has gone to the correct recipient, and then transferred the balance. Before Confirmation of Payee that was an eminently sensible thing to do, mainly to check I had not mis-typed their account details.

malcolm, I think this is what we’ve got after too many decades of nanny state and fostering a “don’t worry help is on its way” society.

APP scams tend to involve cleverly crafted deceptions that con victims into giving all their money to scammers.

Banks can at least stand to raise sanity checks into the money transfer process. My bank’s mobile app now produces a pop up general scam warning before any money transfer is made from my accounts.

But wouldn’t it be great if receiving banks had a liability for returning any transferred funds?

The primary liability should be with the receiving bank, I agree. They need to justify whether or not they opened accounts with the right degree of scrutiny. If they did, if they could not be aware that an account would be used to carry out fraud, and if the sending bank correctly carried out a client’s instructions, then I would question why a liability to refund a transaction should rest with the banks.

A properly opened account should allow the account holder to be tracked down and, if they have carried out a fraud, prosecuted.

A problem seems to be that the receiving banks may well be outside our jurisdiction. Our banks may then not have the necessary power to require an investigation. So maybe our sending bank should warn us when a payment is going to such banks before we finally authorise the payment.

malcolm r says: Today 09:43

The primary liability should be with the receiving bank, I agree. They need to justify whether or not they opened accounts with the right degree of scrutiny. banks…

A properly opened account should allow the account holder to be tracked down and, if they have carried out a fraud, prosecuted.

As I understand it, many of these accounts were opened by students, who then sell them at the end of their courses to raise a few quid. If the fraudsters then set up a sweep on the ‘bought’ account to transfer all monies above – say – £1.00 to a Swiss account then there would be no way of tracking them down easily.

Maybe prosecuting the students, if indeed they are involved, would be a start.

Alan Landor-Hope wrote: “All banks should put a limit on bank transfer by delaying payment for a specified time…”

An unintended consequence of the faster payments system is that payments are made so quickly there is no opportunity to contact your bank and instruct them to block a payment if you realise that you have been scammed. There are numerous reports (including some on this website) of people realising they have been scammed by the time they have ended a call.

I have suggested that all payments to new payees are held as pending for a few days to allow time for customers to contact their bank and for investigation to take place. I see no reason to delay payments to existing payees. If individuals want to make a payment immediately, that could be an option, in the same way that it is possible to make a payment that fails confirmation of payee.

Banks must either work together to ensure that money can be reclaimed promptly from receiving banks in cases of fraud. An excellent example of banks working together was the creation of the ATM network managed by Link.

The introduction of the CRM Code to refund customers who have been tricked by scammers, unless it can be proven that they were negligent, provides a strong incentive for the banks to recover money from receiving banks.

Ian has mentioned accounts opened by students. I suggest that banks should place tight restrictions on new accounts and accounts monitored for suspicious activity. When I was a student I was not given a cheque book to start with and had to visit my own branch to withdraw or pay in money.

Customers can do their bit to tackle fraud, but the most effective could and should come from the banks.

If this were implemented as a routine, would you then absolve the banks from any responsibility if the customer, having had time to reflect, takes no action and allows the payment to proceed?

As I see it the main advantage of a delay in payments to new payees would be to reduce fraud. I’m surprised that banks are not pushing for this, which would reduce the need to try and recover money on behalf of customers. Fraudulent cases would still have to be investigated and decided on their merits taking into account current requirements placed on them by legislation and the regulator.

Presumably those who realise they have made a mistake will contact their bank. We should see how many instances there are of this realisation by the customer. That could indicate whether delayed payments would be effective or not. Something Which? could investigate along with other suggestions.

Only the banks and regulator will have access to this information and I’m sure that the banks can find sufficient volunteers to test the system. Count me in. Some of the payments I make, for example online grocery orders, spend several days as pending payments, so a mechanism for automated delay already exists.

Alan Smith says:
8 July 2021

Is anybody, other than the members of the organisation involved, ever satisfied with the results of an organisation policing itself? There will always be suspicion.

D Gilzean says:
8 July 2021

In addition to making banks more accountable, once the criminals have been caught they should be forced to return the money and also pay compensation to the victim. The human rights of the victim must be made a priority.

Clarence says:
8 July 2021

What a ridiculous idea! I might as well write my own version of the Highway Code, in which only privately-owned motor-cycles are allowed on the motorways.

To the PSR: The new code had better be a lot better than the current one no matter who writes it. Otherwise your existence is pointless.

R. Demott says:
8 July 2021

Who thought that this was the right thing to do? Obviously, the banks will be very happy if they are allowed to write their own regulations. If allowed there will be no need for bank regulators because the banks will be regulating themselves. Currently, bank employees do not treat their customers with enough respect and it seems that they are being inconvenienced if the customers do not use a machine to do their transactions. Also, it would seem the bank employee is always right, I was directed to use a paying-in machine, it did not work, I informed a bank cashier who told me “of course it works, you have not used it properly. I’ll get someone to show you!” The paying-in machine did not work! After trying to get it to work for approximately 10 minutes I rejoined the queue and eventually saw the same cashier again. “Oh! It’s you again!” “Yes, I just want to pay some money in if that’s OK with you?” What should have been a five-minute transaction turned into 25 minutes. Banks regulating themselves is a bad concept and can only make the so-called customer, those who pay their wages, less likely to be treated fairly. The bank regulator is supposed to look after our interests, why aren’t they? Is it because the government is scared of the banks? I now bank with a building society where I am always welcomed.

Patricia Santer says:
8 July 2021

I am very scam aware; so when our bank suddenly called us out of the blue, a completely cold call, and asked to speak to my husband, we were suspicious that this was a scam, especially when the first question asked by the caller was to confirm date of birth. My husband therefore refused to give any further information, and said they should write to him if they required information. Two badly worded letters later arrived suggesting that if he didn’t comply with the requests for information, his access to his account could be suspended, and regular payments cease. Nothing was said about WHAT information was required or why. We did manage eventually to establish that the call had been genuine, as were the letters. 2 visits to a branch (10 miles away) had the branch manager just as confused as we were. This went to an official complaint which is not yet fully resolved: still no full explanation as to why my husband was targeted for such an inquisition as later took place.
Sorry if it’s a bit off topic, but why on earth are banks cold-calling their customers in this day and age of multiple scamming???

The PSR must instead take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault. The PSR must protect consumers all the time, meaning banks customers.

Jeffrey Brewer says:
8 July 2021

Over the last three decades most banks have proved to be totally untrustworthy and their current friendly statements sound very hollow to me. These institutions are the ones who manipulated the exchange rate and have paid fines and compensation to the customers they cheated. The biggest scandal being that as individual employees (perpetrators) they personally got away with it.

John Gibbs says:
8 July 2021

The banks use our money to make their extortionate profits so the least they can do is to ensure that our money is kept safe. And it is about time that they reduced their obscene profits and shared them with us by increasing the rate of interest that they pay investors. They are no longer the well ripen respectable institutions that they once were, they are now in the hands of yobs relatively speaking as opposed to the gentlemen that once were bankers. Banks are no longer respectable institutions, just places filled with fly-boys out to make a quick buck.

Bettina Arundell says:
8 July 2021

It is essential that the public stands together with this vital question because so many people, innocent and perhaps unaware of the seriousness of the present threatening situation, are too frail to stand up individually against the scammers. TOGETHER WE SHALL CONQUER!!!!!

David Morgan says:
8 July 2021

Any form of self-regulation is fraught with unfairness.

Since ALL transactions are inherently traceable and technically reversible, the banks could minimize this fraud by being forced to add a delay to all transactions so that they could be forced to block and reverse them if fraud was the cause.

My advice to all my friends and colleagues is that if you get a call from your “bank” tell them you will call them back; dial your Mum or the local Chinese restaurant, if the “bank” answers, put the phone down.

Then make a cup of tea, you just saved yourself getting robbed.

sandra brown says:
8 July 2021

When should any bank get a free rein to write its own rules at the expense of its customers when it comes to refunding one of their customers when they have been scammed? During the pandemic scamming people on mobile phones/landlines has risen. One call I received was from HMRC saying I had owed them money and it was an automated call in an American accent. One week I had a scam call about my broadband service in for a week, the number they were using was changed to different ones and some of the calls were either from a male caller or female; using the same script professing to be a well known telecoms provider and attempted to wear me down. There are many people out in society who have been taken advantage of; banks don’t call, don’t disclose personal details like account number to a stranger; hang up. When your mobile rings the person who is calling their number comes up on the screen if the number isn’t familiar to you hang up! Don’t get into a conversation with the caller either the more you converse with them they usually have a script which is polished and sounds professional, usually these scammers work abroad on untraceable numbers.

A system without intermediaries is a system without intermediary risk, and thus has no need for regulation aimed at safeguarding against the types of risk presented by intermediaries. Human creativity in the situation of prohibition is unlimited. This has been proven many times before, most famously during alcohol prohibition times. Regulators can fail to protect consumers.. regulators fail to put bankers in jail, regulators fail to stop fraud & crime on epic proportions. Regulators fail to ensure poisonous gas emissions fall within strict guidelines. Regulators fail to ensure food allergens are consistently labelled to protect life. Regulators fail to protect pensioners life savings from scammers. Regulators fail when certifying certain aircraft as safe. Regulators fail to ensure build quality of new homes & that correct fire retardant materials are used in construction of tower blocks. Regulators fail to ensure blood isn’t infected prior to transfusions. Regulators fail to ensure clients can withdraw their own money if funds go belly up despite previous market appraisals. Regulators fail to monitor travel empires and warn against total collapse. Flaws in exams algorithms leave thousands of students devastated, but regulators press ahead amid longstanding ministerial pressure to prevent grade inflation. Since 2008 we have found out that gold is rigged & markets are rigged & that mortgages were fraudulent & rigged, that entire foreign exchange mechanisms were rigged & so far no one has gone to jail. The fines that regulators have charged are less than the profits made from the fraud & that is simply a licence to continue crime. Regulators are just helping companies, corporations & banks to avoid competition rather than protect consumers from getting ripped off. When press releases are written by or on behalf of the very banks or financial institutions you’re supposed to be regulating, you should be in jail also. 
A secure world is not created by the absence of crime, it can only be created by the presence of justice.

Ian Mcnulty says:
9 July 2021

I was scammed out of £18000 3 years ago (in 4 separate transactions.) After speaking to the fraud department they suggested I change my account number but I would have to do this in my branch. When I saw the manager 2 days later he agreed to refund the full amount but said “it’s difficult to change an account number so we will leave it for now but if it happens again we will change the account number then” I said “How can it be difficult if I go down to Barclays now they will give me a new account and £100 for changing with no difficulty at all.” I honestly got the feeling he wasn’t bothered at all and I even wondered if he was in on it.